• Sun. Apr 19th, 2026

Christina Antonelli

Connecting the World, Technology in Time

Policy Corner: Information Security and Privacy


As we shift our attention to information security and privacy policies, consider the following scenario where a well-intentioned community event exposed how easily gaps in data-handling practices can put patrons at risk. 

The Gotham Public Library, a fictional, small, rural library in Texas, partnered yet again with the Madame Selina Kyle Foundation, this time to host a free digital literacy workshop. Participants were asked to provide their name, home address, phone number, email address, and library card number using a shared Google Form created by a volunteer. In the days following the event, several attendees began receiving unsolicited emails from LexCorp and phone calls promoting Harvey Dent’s election campaign. One patron filed a complaint, stating the only place they had shared that information was with the library. When staff investigated, they found there was no written policy governing how patron information should be collected, stored, shared, or deleted, and that the volunteer still had access to the form and its responses on a personal device. Because the library lacked a formal information security and privacy policy, staff were unsure how to respond, whether a legal violation had occurred, or what corrective actions were required. The incident eroded community trust and raised concerns at the next city council meeting about the library’s data handling practices, prompting Library Director Barbara Gordon to collaborate with her staff and key stakeholders to draft a formal policy.

Because privacy policies are about more than just protecting data—they’re one of the clearest ways a library demonstrates its respect for patron trust—revisiting yours ensures that the library’s information practices not only honor confidentiality but also remain grounded in your community’s needs. And right now, it matters more than ever: in April, the Texas State Library and Archives Commission (TSLAC) approved updated accreditation criteria for Texas public libraries. These new minimum standards, outlined in the Texas Administrative Code, officially went into effect September 1, 2025, and will first be used for accreditation with the 2026 Annual Report. Among the revisions is a new requirement that every library have written policies for circulation, collection development, technology use, and information security and privacy. Libraries will certify these policies in the 2027 Annual Report, with a deadline of July 31, 2027, to meet the new minimums. So, as you look at your information security and privacy policy, here are some questions and resources to help make sure it’s both accreditation-ready and community-centered.

Questions to Consider While Revising or Creating an Information Security and Privacy Policy:

  • What is the library’s mission statement, and how is it reflected in the policy?
    • If the library’s mission emphasizes open and equal access to information, how does the policy’s treatment of collecting personally identifiable information when granting access to services support that?
    • If the library’s mission statement mentions serving as a trusted community resource, how does the policy describe what data the library collects, why it’s collected, how long it is retained, and how it is protected? 
  • How will you manage information security and privacy?
    • Which library records and types of records are confidential (registration and library-card information, circulation and borrowing history, hold or reserve requests, interlibrary loans, program registrations, public computer usage, internet or Wi-Fi session logs, meeting-room reservations or facility usage, overdue or fines information, records that could link a patron to specific materials or services)?
    • What are the exceptions? When and how may information be shared (to the patron or authorized representative; when reasonably necessary for library operations; under valid court order or subpoena)?
    • Who will serve as the custodian of records and be responsible for processing any requests? What are the procedures for when staff receive requests for records?
    • What personal data will need to be collected to deliver services (cardholder info, necessary contact details)?
    • How long will circulation or usage data need to be retained for administrative, service, or legal purposes? What are the secure disposal procedures once retention is no longer necessary?
    • How will internal access to records be limited to authorized staff only? What requirements will there be regarding confidentiality training for staff?
    • How will patrons be notified that their library records are protected? How can patrons request and review their own records?
    • How will the library acknowledge that some services (digital content providers, external databases, online registration, etc.) are operated by third parties, and that while the library will endeavor to use vendors that respect privacy, users should be aware of those vendors’ own privacy policies? How will the library ensure vendor contracts require compliance with the policy?
    • What will be the library’s law enforcement and subpoena response protocol? How will it track such disclosures?
  • Are you working with an attorney?
    • Only an attorney can provide legal advice. This could be a City or County Attorney, an attorney on retainer, or an attorney on the board.
    • If you’re not currently working with an attorney, have you contacted other libraries in your area to see if there is someone they’d recommend?

General Suggestions for Library Policies:

  • Use plain language: aim for a clear and concise summary that can be understood by any community member, even those who have never been to the library.
  • Separate policy from procedure: a policy explains what the rules are, while a procedure explains how staff and patrons carry them out in practice. For example, a privacy policy might outline the principles guiding how the library collects, uses, stores, and protects patron information, ensuring transparency while upholding the library’s commitment to confidentiality. A privacy procedure, by contrast, would provide the step-by-step practices staff follow, such as how to securely handle requests for records, manage log data, verify identity, or respond to potential breaches, to implement that policy in day-to-day operations. Keeping policies and procedures separate ensures that each document can be updated easily.
  • Review regularly: reviewing all policies on a regular schedule will help ensure they’re up to date and useful for patrons. It might be helpful to ask: Is it a simple change in wording, or is the policy broken? Could your grandmother understand the policy? Does your policy reflect the actual practice? Has the policy kept up with the times? Is there still a viable reason to have the policy? Finally, incorporating legal review by an attorney (a City Attorney, County Attorney, board member, etc.) is highly recommended.
  • Have policies approved by the library’s governing authority: this adds legitimacy to library policies, and helps the governing authority understand how the library operates.

Trainings and Resources Related to Library Policies:

Writing Support

Policy Basics

Example Policies

***

If you’re in need of a thought partner or assistance finding Texas-specific examples while developing your library’s information security and privacy policy, don’t hesitate to reach out. Email our Library Development and Networking team at [email protected]


By admin